WO2017061469A1 - Identification system, identification device and identification method - Google Patents
- Publication number: WO2017061469A1 (PCT application PCT/JP2016/079620)
- Authority: WO (WIPO, PCT)
- Prior art keywords: terminal, infection, infected, state, information
- Legal status: Ceased (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- CPC sections: H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication); G (Physics) > G06 (Computing or calculating; counting) > G06F (Electric digital data processing)
- H04L63/1416: Event detection, e.g. attack signature detection (H04L63/00 network security > H04L63/14 detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic)
- H04L63/1425: Traffic logging, e.g. anomaly detection (same parent chain as H04L63/1416)
- G06F17/10: Complex mathematical operations (G06F17/00 digital computing or data processing equipment or methods, specially adapted for specific functions)
- G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements (G06F21/00 security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 monitoring users, programs or devices to maintain the integrity of platforms > G06F21/55 detecting local intrusion or implementing counter-measures)
- H04L41/082: Configuration setting characterised by the conditions triggering a change of settings, the condition being updates or upgrades of network functionality (H04L41/00 maintenance, administration or management of data switching networks > H04L41/08 configuration management > H04L41/0803 configuration setting > H04L41/0813 conditions triggering a change of settings)
- H04L41/28: Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration (H04L41/00)
- H04L63/145: Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms (H04L63/00 > H04L63/14 > H04L63/1441 countermeasures against malicious traffic)
- H04L2463/146: Tracing the source of attacks (H04L2463/00 additional details relating to network architectures or network communication protocols for network security covered by H04L63/00)
Definitions
- The present invention relates to an identification system, an identification device, and an identification method.
- Malware (malicious software): program code created with the intention of performing illegal or harmful operations, such as computer viruses, spyware, and bots.
- Attack Graph is a technique that evaluates network threats by collecting the network system configuration and the OS and application information of each terminal, and statically computing the candidate intrusion routes of an external attacker.
- The conventional technology has the problem that it cannot appropriately identify terminals that are suspected of being infected, or terminals that may become infected in the future.
- Targeted attacks and APT attacks expand the intrusion or infection to multiple terminals in the same network system via terminals that were already compromised or infected with malware. Even when a countermeasure such as blocking is applied to an infected terminal detected by a security device, if another infected terminal remains undetected, the attack continues through that terminal.
- The identification system of the present invention includes a configuration information storage device that stores information about the terminals in a network, and an identification device that identifies the state of a terminal.
- The configuration information storage device stores connection information indicating the connection relationships between terminals in the network. The identification device has a state specifying unit that receives detection information from a security device that detects activity related to unauthorized intrusion into the network or infection of a terminal, and specifies the state of the terminal from the terminal information and the activity content included in the detection information; and an infection specifying unit that, when the state specifying unit identifies the terminal as infected with malware, uses the connection information stored by the configuration information storage device to identify terminals suspected of having been infected before the activity recorded in the detection information was reached, and candidate terminals that the infected terminal may infect in the future because they lie on a route usable for further unauthorized intrusion or infection.
- The identification device of the present invention has a state specifying unit that receives detection information from a security device that detects activity related to unauthorized intrusion into a network of plural terminals or infection of those terminals, and specifies the state of a terminal from the terminal information and activity content included in the detection information; and an infection specifying unit that, when the state specifying unit identifies the terminal as infected with malware, uses connection information indicating the connection relationships between the terminals to identify terminals suspected of having been infected before the activity recorded in the detection information was reached, and candidate terminals that the infected terminal may infect in the future because they lie on a route usable for unauthorized intrusion or infection.
- The identification method of the present invention is executed by the identification device and includes a state specifying step of receiving detection information from a security device that detects activity related to unauthorized intrusion into a network of plural terminals or infection of those terminals, and specifying the state of a terminal from the terminal information and activity content included in the detection information; and an infection specifying step of, when the state specifying step identifies the terminal as infected with malware, using connection information indicating the connection relationships between the terminals to identify terminals suspected of having been infected before the activity recorded in the detection information was reached, and candidate terminals that the infected terminal may infect in the future because they lie on a route usable for unauthorized intrusion or infection.
- FIG. 1 is a diagram illustrating an example of the configuration of the identification system according to the first embodiment.
- FIG. 2 is a diagram illustrating an example of the terminal connection information stored in the configuration information storage device according to the first embodiment.
- FIG. 3 is a diagram illustrating an example of the terminal state information stored in the configuration information storage device according to the first embodiment.
- FIG. 4 is a diagram explaining the process of specifying the state of a terminal in the identification apparatus according to the first embodiment.
- FIG. 5 is a diagram explaining the process of identifying terminals suspected of being infected and candidate infected terminals in the identification apparatus according to the first embodiment.
- FIG. 6 is a diagram explaining how the attack countermeasure apparatus according to the first embodiment deals with a terminal whose infection is confirmed.
- FIG. 7 is a diagram explaining the process of identifying terminals suspected of being infected and candidate infected terminals in the identification apparatus according to the first embodiment.
- FIG. 8 is a diagram explaining how the attack countermeasure apparatus according to the first embodiment deals with a terminal with a high possibility of infection.
- FIG. 9 is a flowchart showing the flow of processing of the identification apparatus according to the first embodiment.
- FIG. 10 is a sequence diagram showing the flow of processing of the identification system according to the first embodiment.
- FIG. 11 is a diagram illustrating a computer that executes the identification program.
- FIG. 1 is a diagram illustrating an example of the configuration of the identification system according to the first embodiment.
- As illustrated in FIG. 1, the identification system 1 includes an identification device 10 that identifies terminals suspected of being infected and terminals that may become infected in the future, a security device 20 that monitors communication, a configuration information storage device 30 that stores information about the terminals 50A to 50E in the network, an attack countermeasure device 40 that monitors and restricts communication, the plurality of terminals 50A to 50E, NW (network) equipment 60 such as a firewall, router or switch, and a mail server 70 that provides a network service.
- The NW equipment 60 and the mail server 70 are connected to the Internet 80. It is further assumed that the network containing the terminals 50A to 50E permits only the communication needed for business, enforced by a firewall ACL (Access Control List) or similar.
- In FIG. 1, communication permitted by the firewall and the logical communication implied by service connectivity (e-mail, HTTP proxy, authentication system, etc.) are drawn as connection arrows between devices.
- The number of devices and functions shown in FIG. 1 is only an example and is not a limitation. When the terminals 50A to 50E need not be distinguished, they are referred to collectively as terminals 50.
- The security device 20 monitors the communication of each terminal 50A to 50E and of the NW equipment 60, and transmits detection information to the identification device 10 when it detects unauthorized communication or similar activity. The detection information includes information about the terminal 50 that performed the unauthorized communication and the activity content of that terminal.
- The configuration information storage device 30 stores connection information indicating the connection relationships between terminals in the network. For example, as illustrated in FIG. 2, it stores, in association with each other, a "terminal name", an "IP address", a "MAC address", and "connection information" describing the terminal's connection relationships. For instance, it stores the terminal name "terminal 1", the IP address "10.1.1.1", the MAC address "70:58:12:27:B7:17", and the connection information "mail server → terminal 1, terminal 1 → terminal 3", meaning that terminal 1 has IP address 10.1.1.1 and MAC address 70:58:12:27:B7:17 and is connected to the mail server 70 and to terminal 3.
- The configuration information storage device 30 also stores terminal state information indicating the state of each terminal 50 as specified by the state specifying unit 11 described later, together with the terminals suspected of infection and the infection candidates identified by the infection specifying unit 12 described later. For example, as illustrated in FIG. 3, it stores, in association with each other, a "terminal name", a "terminal status", a "suspected infection score" indicating the degree of suspicion of infection, and an "infection risk score" indicating the degree of risk of becoming infected.
- the terminal status includes “suspected infection”, “infection”, “non-infection”, “infection spread candidate”, and “attacked”.
- “Suspected infection” is a state in which there is a suspicion of infection.
- “Infection” is a state in which infection is confirmed.
- "Non-infected" is a state in which the terminal is not infected.
- the “infection extension candidate” is a state in which there is a possibility of infection in the future.
- "Attacked" is a state in which the terminal has been attacked, for example by an infected terminal. A higher suspected infection score means stronger suspicion of infection, and a higher infection risk score means a higher likelihood of becoming infected.
- For example, the configuration information storage device 30 stores the terminal name "terminal 1", the terminal status "suspected infection", the suspected infection score "0.33" and the infection risk score "0.1" in association with each other, meaning that terminal 1 is currently in the suspected infection state with a suspected infection score of 0.33 and an infection risk score of 0.1.
- terminal name “terminal 1” corresponds to the terminal 50A in FIG. 1
- terminal name “terminal 2” corresponds to the terminal 50B in FIG. 1
- terminal name "terminal 3" corresponds to the terminal 50C in FIG. 1
- terminal name “terminal 4” corresponds to the terminal 50D in FIG. 1
- terminal name "terminal 5" corresponds to the terminal 50E in FIG. 1
- The attack countermeasure device 40 blocks, monitors or restricts communication for the infected terminals identified by the state specifying unit 11 described later, and for those terminals, among the suspected terminals identified by the infection specifying unit 12 described later, whose suspicion of infection is high.
- The identification device 10 specifies the state of each terminal and identifies the terminals suspected of being infected and the terminals likely to become infected in the future. As illustrated in FIG. 1, the identification device 10 includes a state specifying unit 11 and an infection specifying unit 12.
- The state specifying unit 11 receives detection information from the security device 20, which detects activity related to unauthorized intrusion into the network or infection of a terminal 50, and specifies the state of the terminal 50 from the terminal information and activity content included in that detection information. When the detection information concerns a communication, the state specifying unit 11 specifies the states of the terminals 50 corresponding to the source address and the destination address of that communication; when the detection information concerns a single terminal 50, it specifies the state of that terminal. For example, when the detection information says that "terminal 4" communicated with "terminal 5" and that "terminal 4" attacked "terminal 5", the state specifying unit 11 treats it as information about a communication and specifies the states of "terminal 4" (the source address) and "terminal 5" (the destination address). When the detection information concerns "terminal 3" alone, it treats it as information about a terminal and specifies the state of "terminal 3".
- FIG. 4 is a diagram for explaining the process of specifying the state of the terminal in the specifying apparatus according to the first embodiment.
- The numbers next to the terminals 50A to 50E in FIG. 4 are example values of each terminal's suspected infection score and infection risk score. In the initial state the suspected infection score is "0" for all terminals 50, and the infection risk score is set by a fixed rule for terminals 50 that have connectivity to the Internet 80: here "0.1" is added to each terminal directly connected to the Internet 80 and to the infected terminal. This is only one way of determining the values; the method can be chosen arbitrarily.
- The following describes the processing when the terminal 50C, terminal name "terminal 3", is infected with malware and the security device 20 in the network detects its C&C communication, that is, communication with a server on an external network used to control the infected terminal from outside.
- The state specifying unit 11 of the identification device 10 specifies the state of the terminal 50C based on the information, included in the detection information received from the security device 20, that terminal 3 performed C&C communication with the outside. Since detected C&C communication means that terminal 3 can be judged infected with malware, the state specifying unit 11 specifies the state of terminal 3 as infected and sets its suspected infection score to "1.0".
- When the state specifying unit 11 has identified an infected terminal, the infection specifying unit 12 uses the connection information stored in the configuration information storage device 30 to identify the terminals 50 suspected of having been infected on the way to the activity recorded in the detection information, and the candidate terminals 50 that the infected terminal may infect in the future because they lie on a route usable for unauthorized intrusion or infection. Specifically, the infection specifying unit 12 identifies every terminal 50 on a communication path that could have been the infection route of the infected terminal as a suspected terminal, and computes for each such terminal a suspected infection score from the number of candidate infection paths and the terminal's past state. It also identifies, starting from the infected terminal and following the connection information, the terminals 50 that can be infected from it as infection candidates.
- FIG. 5 is a diagram for explaining a process for identifying a terminal suspected of being infected and a candidate for an infected terminal in the identifying apparatus according to the first embodiment.
- Assume the state specifying unit 11 has identified the state of "terminal 3" as infected with a suspected infection score of "1.0". The infection specifying unit 12 of the identification device 10 first identifies the possible infection routes to terminal 3 using the connection information in the configuration information storage device 30. In the example of FIG. 5 there are three candidate routes to terminal 3: a direct attack from the Internet 80 through the NW equipment 60, an attack via terminal 1, and an attack via terminal 2. The suspected infection score to be added is therefore "0.33" (1/3, from the "3" candidate routes), and it is added to the previous suspected infection scores of terminal 1 and terminal 2 to obtain their new suspected infection scores. This example splits the score evenly per route; a weighted split based on statistical information is also possible, and the method of determining the values is not limited to this.
- Next, the infection specifying unit 12 identifies the candidates for the next infection spread destinations from the infected terminal and from the terminals 50 suspected of infection. Terminal 5, which is connected to terminal 3, can be infected starting from the infected terminal 3, so terminal 5 is identified as an infection spread candidate and "0.1" is added to its infection risk score. Terminal 1 and terminal 2 each have a suspected infection score of "0.33", so for terminal 4, to which infection can spread from terminal 2, the score "0.03" (0.33 multiplied by 0.1, truncated at the third decimal place) is added to its infection risk score, which becomes "0.13".
- FIG. 6 is a diagram for explaining how to deal with a terminal whose infection is confirmed in the attack countermeasure apparatus according to the first embodiment.
- The attack countermeasure device 40 decides on a countermeasure for terminal 3 when its suspected infection score exceeds a first threshold (for example "0.9"). As illustrated in FIG. 6, the suspected infection score of terminal 3 is "1.0", which exceeds the first threshold, so a countermeasure for terminal 3 is decided. In the example of FIG. 6, since terminal 3 is a terminal whose infection is confirmed, the countermeasure is to isolate terminal 3 and block all communication involving it.
- FIG. 7 is a diagram for explaining a process for identifying a terminal suspected of being infected and a candidate for an infected terminal in the identifying apparatus according to the first embodiment.
- FIG. 8 is a diagram for explaining how to deal with a terminal having a high possibility of infection in the attack countermeasure apparatus according to the first embodiment.
- Next, assume the security device 20 detects an attack from terminal 4 on terminal 5. The state specifying unit 11 of the identification device 10 specifies the states of terminal 4 and terminal 5 from this detection information. The state of terminal 4 is identified as infected and its suspected infection score is set to "1.0". There are "2" candidate infection routes to terminal 4, so the suspected infection score to be added is "0.5" (1/2); it is added to terminal 2, which lies on one of the candidate routes, and the suspected infection score of terminal 2 becomes "0.83". The state of terminal 5 is identified as attacked; here "0.5" is added to its suspected infection score and "1.0" to its infection risk score, giving terminal 5 a suspected infection score of "0.5" and an infection risk score of "1.1".
- The attack countermeasure device 40 decides on communication monitoring and communication restriction as the countermeasure for terminal 2 when its suspected infection score exceeds a second threshold (for example "0.7"). As illustrated in FIG. 8, the suspected infection score of terminal 2 is "0.83", which exceeds the second threshold, so a countermeasure for terminal 2 is decided. In the example of FIG. 8, since terminal 2 is a terminal with a high possibility of being infected, the countermeasure consists of communication monitoring and communication restriction. Monitoring and restricting the communication of a terminal that is highly likely to be infected in this way prevents, should terminal 2 indeed be infected, both the spread of infection to further terminals 50 and outbound C&C connections from terminal 2.
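The two detection rounds above (FIG. 4 to FIG. 8), together with the flowchart and sequence of FIG. 9 and FIG. 10 below, are implemented here as an added Python example; it is not the patent's code. It assumes a constructed connection graph in which terminals 1 to 4 are reachable from the Internet through the NW equipment and mail server and terminal 5 only from terminals 3 and 4 (so that terminal 3 has three candidate routes and terminal 4 two), the even per-route split and the 0.1 multiplier used on the page, truncation at the third decimal place, and, to reproduce the page's "1.1" for terminal 5, that a terminal already scored as attacked by the current detection is not scored again as a spread candidate. The state names, the two threshold values and the detection contents are taken from the page; the function names, the detection record format and the `internet` node are the example's own.

```python
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")
INTERNET = "internet"
FIRST_THRESHOLD = Decimal("0.9")    # confirmed infection: isolate and block
SECOND_THRESHOLD = Decimal("0.7")   # likely infected: monitor and restrict


def floor2(x):
    """Truncate at the third decimal place, as the page does (1/3 -> 0.33, 0.033 -> 0.03)."""
    return Decimal(x).quantize(CENT, rounding=ROUND_DOWN)


# Constructed connection information in the spirit of FIG. 2: "a -> {b, ...}" means
# communication from a to b is permitted. Assumption: terminals 1 to 4 are reachable
# from the Internet through the NW equipment and mail server; terminal 5 only from 3 and 4.
CONNECTIONS = {
    INTERNET:     {"terminal 1", "terminal 2", "terminal 3", "terminal 4"},
    "terminal 1": {"terminal 3"},
    "terminal 2": {"terminal 3", "terminal 4"},
    "terminal 3": {"terminal 5"},
    "terminal 4": {"terminal 5"},
    "terminal 5": set(),
}


class IdentificationDevice:
    """State specifying unit (handle_detection) and infection specifying unit (_routes_and_spread)."""

    def __init__(self, connections):
        self.succ = {n: set(s) for n, s in connections.items()}
        self.pred = {n: set() for n in connections}
        for src, dsts in connections.items():
            for dst in dsts:
                self.pred[dst].add(src)
        # Terminal state table (FIG. 3). Initial rule of FIG. 4: suspicion 0 everywhere,
        # infection risk 0.1 for terminals directly reachable from the Internet.
        self.table = {
            n: {"status": "non-infected", "suspicion": Decimal("0"),
                "risk": Decimal("0.1") if n in self.succ[INTERNET] else Decimal("0")}
            for n in connections if n != INTERNET
        }

    def handle_detection(self, detection):
        """State specifying unit: apply one detection record from the security device."""
        touched = set()                       # terminals already scored by this record
        if detection["kind"] == "c2":         # terminal talks to an external C&C server
            infected = [detection["terminal"]]
        elif detection["kind"] == "attack":   # source attacks destination inside the network
            infected = [detection["source"]]
            dst = self.table[detection["destination"]]
            dst["status"] = "attacked"
            dst["suspicion"] += Decimal("0.5")
            dst["risk"] += Decimal("1.0")
            touched.add(detection["destination"])
        else:
            raise ValueError(f"unknown detection kind {detection['kind']!r}")
        for t in infected:
            self.table[t]["status"] = "infected"
            self.table[t]["suspicion"] = Decimal("1.0")
            touched.add(t)
            self._routes_and_spread(t, touched)

    def _routes_and_spread(self, infected, touched):
        """Infection specifying unit: score routes into the infected terminal and one hop beyond."""
        routes = self.pred[infected]          # every predecessor is one candidate infection route
        if routes:                            # step S103: nothing connected means nothing to score
            share = floor2(Decimal(1) / len(routes))   # even split; a weighted split is also possible
            for p in routes:
                if p == INTERNET or self.table[p]["status"] == "infected":
                    continue
                self.table[p]["suspicion"] += share
                if self.table[p]["status"] == "non-infected":
                    self.table[p]["status"] = "suspected"
        for s in self.succ[infected]:         # spread candidates one hop beyond the infected terminal
            if s not in touched and self.table[s]["status"] != "infected":
                self._add_risk(s, Decimal("0.1"))
        for p, row in self.table.items():     # ... and beyond each suspected terminal, weighted
            if row["status"] != "suspected":
                continue
            for s in self.succ[p]:
                if s not in touched and self.table[s]["status"] != "infected":
                    self._add_risk(s, floor2(row["suspicion"] * Decimal("0.1")))

    def _add_risk(self, t, amount):
        self.table[t]["risk"] += amount
        if self.table[t]["status"] == "non-infected":
            self.table[t]["status"] = "infection spread candidate"

    def snapshot(self):
        """Plain copy of the state table with float scores, for display and checking."""
        return {t: {"status": r["status"], "suspicion": float(r["suspicion"]),
                    "risk": float(r["risk"])} for t, r in self.table.items()}


def decide_countermeasures(snapshot):
    """Attack countermeasure device: choose an action per terminal from its suspicion score."""
    actions = {}
    for t, row in snapshot.items():
        if row["suspicion"] > float(FIRST_THRESHOLD):
            actions[t] = "isolate and block communication"
        elif row["suspicion"] > float(SECOND_THRESHOLD):
            actions[t] = "monitor and restrict communication"
    return actions


def run_embodiment():
    """Replay the two constructed detections of FIG. 5 to FIG. 8; returns (table, actions) per round."""
    dev = IdentificationDevice(CONNECTIONS)
    dev.handle_detection({"kind": "c2", "terminal": "terminal 3"})
    round1 = dev.snapshot()
    dev.handle_detection({"kind": "attack", "source": "terminal 4", "destination": "terminal 5"})
    round2 = dev.snapshot()
    return (round1, decide_countermeasures(round1)), (round2, decide_countermeasures(round2))


if __name__ == "__main__":
    for n, (table, actions) in enumerate(run_embodiment(), 1):
        print(f"after detection {n}:")
        for t in sorted(table):
            print(f"  {t}: {table[t]}")
        print(f"  countermeasures: {actions}")
```

Run as a script it prints both state tables; `run_embodiment()` reproduces the page's values (terminal 1 at 0.33/0.1 and terminal 4 at 0.13 after the first detection, terminal 2 at 0.83 and terminal 5 at 0.5/1.1 after the second) and the countermeasure decisions of FIG. 6 and FIG. 8. Decimal arithmetic with explicit truncation is used so that the scores compare exactly against the thresholds; with binary floats, an accumulated "0.9" or "0.7" can land on either side of the threshold depending on the order of additions.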
- In this way, every time the security device 20 detects an attack, the identification device 10 performs the processing described above to identify terminals suspected of being infected and terminals likely to become infected in the future. By identifying candidate suspected terminals and, for example, accumulating the number of times each terminal has become a candidate and quantifying its suspicion of infection, infected terminals other than the detected terminal can be identified, which makes it possible to prevent the expansion of the intrusion and infection and to reduce the damage caused.
- FIG. 9 is a flowchart showing the flow of processing of the identification apparatus according to the first embodiment.
- When the state specifying unit 11 of the identification device 10 receives detection information from the security device 20 (Yes in step S101), it specifies the state of the terminal 50 from the terminal information and the activity content included in the detection information (step S102). When the state specifying unit 11 has identified the terminal 50 as infected with malware, the infection specifying unit 12 of the identification device 10 refers to the connection information stored in the configuration information storage device 30 and determines whether any terminal is connected to the infected terminal (step S103). If no terminal is connected to the infected terminal (No in step S103), the infection specifying unit 12 updates the terminal state information in the configuration information storage device 30 (step S105) and the process ends. Otherwise, for each terminal 50 connected to the infected terminal, the terminals on the route leading to the infected terminal are identified as suspected terminals and the terminals located beyond the infected terminal are identified as infection candidate terminals (step S104); the terminal state information in the configuration information storage device 30 is then updated (step S105) and the process ends.
- FIG. 10 is a sequence diagram showing the flow of processing of the identification system according to the first embodiment.
- When the security device 20 detects unauthorized communication or similar activity (step S201), it transmits detection information to the identification device 10 (step S202). The identification device 10 specifies the state of the terminal 50 using the detection information (step S203), that is, from the terminal information and activity content included in it. The identification device 10 then requests the connection information from the configuration information storage device 30, refers to the returned connection information (step S205), and, for each terminal 50 connected to the infected terminal, identifies the terminals 50 on the route leading to the infected terminal as suspected terminals and the terminals located beyond the infected terminal as infection candidate terminals (step S206). Finally, the identification device 10 updates the terminal state information in the configuration information storage device 30 (step S207) and the process ends.
- As described above, the identification device 10 receives detection information from the security device 20, which detects activity related to unauthorized intrusion into the network or infection of a terminal 50, and specifies the state of the terminal 50 from the terminal information and activity content included in it. Using the connection information stored in the configuration information storage device 30, the identification device 10 then identifies the terminals 50 suspected of having been infected on the way to the activity recorded in the detection information, and the candidate terminals 50 that the infected terminal may infect in the future because they lie on a route usable for unauthorized intrusion or infection. It can therefore not only detect an infected terminal but also identify terminals suspected of infection and terminals that may become infected later. In other words, when an event related to a targeted attack or APT attack is detected, the identification device 10 identifies not only the detected terminal but also the terminals on the route to it and the candidate terminals it may intrude into or infect next, so that measures such as strengthened monitoring, communication restriction and communication blocking can be applied to them.
- Each component of each illustrated device is functionally conceptual and need not be physically configured as illustrated. The specific form in which the devices are distributed or integrated is not limited to the figures: all or part of them may be functionally or physically distributed or integrated in arbitrary units according to load and usage conditions. For example, the functions of the state specifying unit 11 and the infection specifying unit 12 of the identification device 10 may be held by different devices, and the identification device 10 may itself store the information of the configuration information storage device 30 or provide the functions of the attack countermeasure device 40. All or any part of the processing functions of each device may be realized by a CPU and a program analyzed and executed by that CPU, or as hardware by wired logic.
- the specifying device 10 can be implemented by installing a specific program for executing the above specific processing as package software or online software on a desired computer.
- the information processing apparatus can be caused to function as the specific apparatus 10 by causing the information processing apparatus to execute the above specific program.
- the information processing apparatus referred to here includes, for example, a desktop or notebook personal computer.
- a terminal device used by a user can be used as a client, and the client can be implemented as a server device that provides services related to the specific processing to the client.
- the identification device 10 is implemented as a server device that not only detects an infected terminal, but also provides a processing service that identifies a terminal that is suspected of being infected or a candidate for an infected terminal that may be infected in the future.
- the specific device 10 may be implemented as a Web server, or may be implemented as a cloud that provides a service related to the above specific processing by outsourcing.
- FIG. 11 is a diagram illustrating a computer that executes a specific program.
- the computer 1000 includes, for example, a memory 1010 and a CPU (Central Processing Unit) 1020.
- the computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
- the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
- the ROM 1011 stores a boot program such as BIOS (Basic Input Output System).
- the hard disk drive interface 1030 is connected to the hard disk drive 1031.
- the disk drive interface 1040 is connected to the disk drive 1041.
- a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041.
- the serial port interface 1050 is connected to a mouse 1051 and a keyboard 1052, for example.
- the video adapter 1060 is connected to the display 1061, for example.
- the hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process of the specific device 10 is implemented as a program module 1093 in which a code executable by a computer is described.
- the program module 1093 is stored in the hard disk drive 1031, for example.
- a program module 1093 for executing processing similar to the functional configuration in the specific device 10 is stored in the hard disk drive 1031.
- the hard disk drive 1031 may be replaced by an SSD (Solid State Drive).
- the setting data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1031. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1031 to the RAM 1012 as necessary, and executes them.
- the program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1031, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1041 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). Then, the program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.
Description
The present invention relates to an identification system, an identification device and an identification method.
Conventionally, the existence of malicious software, known as malware, has been known: software or program code, such as computer viruses, spyware and bots, created with the intention of performing illegal and harmful operations.
For example, Attack Graph exists as a technique for calculating candidate propagation routes of such targeted attacks and APT (Advanced Persistent Threat) attacks by malware. Attack Graph is a technique that evaluates threats to a network by collecting the network system configuration and the OS and application information of the terminals and statically calculating candidate intrusion routes of an external attacker.
However, the conventional technique has the problem that it cannot appropriately identify terminals suspected of infection or candidate infected terminals that may be infected in the future. For example, targeted attacks and APT attacks are characterized by spreading intrusion or infection to multiple terminals within the same network system via a terminal that has been intruded into or infected with malware; even if a countermeasure such as blocking is applied to the infected terminal detected by a security device, if another undetected infected terminal exists, the attack continues through that terminal. In such a case, the conventional technique could not appropriately identify the terminals on the route to the detected terminal that are suspected of infection, or the candidate infected terminals that may be infected in the future.
In order to solve the above problems and achieve the object, an identification system of the present invention is an identification system having a configuration information storage device that stores information about terminals in a network and an identification device that identifies the state of a terminal, wherein the configuration information storage device stores connection information indicating the connection relationships between terminals in the network, and the identification device has a state identification unit that receives detection information from a security device that detects activity related to unauthorized intrusion into the network or infection of a terminal and identifies the state of the terminal from the terminal information and the activity content of the terminal included in the detection information, and an infection identification unit that, when the state identification unit identifies the state of the terminal as infected with malware, identifies, based on the connection information stored by the configuration information storage device, terminals suspected of having been infected before the activity content included in the detection information was reached, and identifies terminals located on routes that the infected terminal may use for future unauthorized intrusion or terminal infection as candidate infected terminals that may become infected.
An identification device of the present invention has a state identification unit that receives detection information about a detection from a security device that detects activity related to unauthorized intrusion into a network including a plurality of terminals or infection of a terminal, and identifies the state of the terminal from the terminal information and the activity content of the terminal included in the detection information, and an infection identification unit that, when the state identification unit identifies the state of the terminal as infected with malware, identifies, based on connection information indicating the connection relationships between terminals in the network, terminals suspected of having been infected before the activity content included in the detection information was reached, and identifies terminals located on routes that the infected terminal may use for future unauthorized intrusion or terminal infection as candidate infected terminals that may become infected.
An identification method of the present invention is an identification method executed by an identification device and includes a state identification step of receiving detection information about a detection from a security device that detects activity related to unauthorized intrusion into a network including a plurality of terminals or infection of a terminal, and identifying the state of the terminal from the terminal information and the activity content of the terminal included in the detection information, and an infection identification step of, when the state identification step identifies the state of the terminal as infected with malware, identifying, based on connection information indicating the connection relationships between terminals in the network, terminals suspected of having been infected before the activity content included in the detection information was reached, and identifying terminals located on routes that the infected terminal may use for future unauthorized intrusion or terminal infection as candidate infected terminals that may become infected.
According to the present invention, it is possible to appropriately identify terminals suspected of infection and candidate infected terminals that may be infected in the future.
Embodiments of the identification system, identification device and identification method according to the present application are described in detail below with reference to the drawings. The identification system, identification device and identification method according to the present application are not limited by these embodiments.
[First embodiment]
In the following, the configuration of the identification system according to the first embodiment, the identification device, and the processing flow of the identification system are described in order, and finally the effects of the first embodiment are described.
[Configuration of the identification system]
FIG. 1 is a diagram illustrating an example of the configuration of the identification system according to the first embodiment. The identification system 1 according to the first embodiment has an identification device 10 that identifies terminals suspected of infection and candidate terminals that may be infected in the future, a security device 20 that monitors communication, a configuration information storage device 30 that stores information about the terminals 50A to 50E in the network, an attack countermeasure device 40 that monitors and restricts communication, a plurality of terminals 50A to 50E, NW (network) devices 60 such as a firewall, routers and switches, and a mail server 70 that provides a network service.
The NW devices 60 and the mail server 70 are connected to the Internet 80. The network containing the terminals 50A to 50E is assumed to permit only the communication necessary for business, by means such as the firewall's ACL (Access Control List). In FIG. 1, the communication permitted by the firewall and the logical communication of service connectivity (mail, HTTP proxy, authentication system, etc.) are shown as device-connection arrows. The number of devices and functions shown in FIG. 1 is merely an example and is not limited to this. When the terminals 50A to 50E are described without particular distinction, they are referred to as terminal 50.
The security device 20 monitors the communication of each terminal 50A to 50E and of the NW devices 60 in the network and, when it detects unauthorized communication or the like, transmits detection information to the identification device 10. The detection information includes information on the terminal 50 that performed the unauthorized communication, the activity content of that terminal 50, and so on.
The configuration information storage device 30 stores connection information indicating the connection relationships between terminals in the network. For example, as illustrated in FIG. 2, the configuration information storage device 30 stores, in association with each other, a "terminal name" giving the terminal's name, an "IP address" giving the terminal's IP address, a "MAC address" giving the terminal's MAC address, and "connection information" giving the terminal's connection relationships with other terminals.
Taking the example of FIG. 2, the configuration information storage device 30 stores the terminal name "terminal 1", the IP address "10.1.1.1", the MAC address "70:58:12:27:B7:17" and the connection information "mail server → terminal 1, terminal 1 → terminal 3" in association with each other. This means that the IP address of terminal 1 is "10.1.1.1", its MAC address is "70:58:12:27:B7:17", and it has connection relationships with the mail server 70 and with terminal 3.
The configuration information storage device 30 also stores terminal state information indicating the state of each terminal 50 identified by the state identification unit 11 described later, as well as the terminals suspected of infection and the candidate infected terminals identified by the infection identification unit 12 described later. For example, as illustrated in FIG. 3, the configuration information storage device 30 stores, in association with each other, a "terminal name" giving the terminal's name, a "terminal state" indicating the state of the terminal, an "infection suspicion score" indicating the degree of suspicion of infection, and an "infection risk score" indicating the degree of risk of becoming infected.
Here, the terminal state is one of "suspected infection", "infected", "non-infected", "infection spread candidate" and "attacked". "Suspected infection" is a state in which infection is suspected. "Infected" is a state in which infection is confirmed. "Non-infected" is a state in which the terminal is not infected. "Infection spread candidate" is a state in which the terminal may be infected in the future. "Attacked" is a state in which the terminal has been attacked by an infected terminal or the like. The higher the infection suspicion score, the stronger the suspicion of infection, and the higher the infection risk score, the higher the likelihood of future infection.
Taking the example of FIG. 3, the configuration information storage device 30 stores the terminal name "terminal 1", the terminal state "suspected infection", the infection suspicion score "0.33" and the infection risk score "0.1" in association with each other. This means that terminal 1 is currently in a state of suspected infection, with an infection suspicion score of "0.33" and an infection risk score of "0.1".
Here, the terminal name "terminal 1" corresponds to the terminal 50A in FIG. 1, "terminal 2" to the terminal 50B, "terminal 3" to the terminal 50C, "terminal 4" to the terminal 50D, and "terminal 5" to the terminal 50E.
The attack countermeasure device 40 blocks, monitors or restricts the communication of the infected terminals identified by the state identification unit 11 described later and of those terminals, among the terminals suspected of infection identified by the infection identification unit 12 described later, whose suspicion of infection is high.
The identification device 10 identifies the state of each terminal and identifies the terminals suspected of infection and the candidate terminals that may be infected in the future. As shown in FIG. 1, the identification device 10 has a state identification unit 11 and an infection identification unit 12.
The state identification unit 11 receives detection information from the security device 20, which detects activity related to unauthorized intrusion into the network or infection of a terminal 50, and identifies the state of the terminal 50 from the terminal 50 information and terminal activity content included in that detection information. For example, when the detection information concerns a communication, the state identification unit 11 identifies the states of the terminals 50 corresponding to the source address and the destination address of that communication; when the detection information concerns a terminal 50, it identifies the state of that terminal 50.
As a concrete example, when the detection information indicates that "terminal 4" attacked "terminal 5" by communicating with it, the state identification unit 11 treats it as information about a communication and identifies the states of "terminal 4", which corresponds to the source address, and "terminal 5", which corresponds to the destination address. When the detection information indicates that "terminal 3" has been infected with malware, the state identification unit 11 treats it as information about a terminal 50 and identifies the state of "terminal 3".
The processing by which the identification device 10 identifies the state of a terminal is now described using the example of FIG. 4. FIG. 4 is a diagram explaining the processing of identifying the state of a terminal in the identification device according to the first embodiment. In FIG. 4, the numbers next to each terminal 50A to 50E are example values of that terminal's infection suspicion score and infection risk score. When no attack has occurred, the infection suspicion value is "0" for all terminals 50. The infection risk is set by a fixed rule for terminals 50 that have connectivity to the Internet 80. In the example of FIG. 4, "0.1" is assigned to terminals with direct connectivity to the Internet 80 or to an infected terminal, but the method of determining the value is not limited to this and can be set arbitrarily.
The example of FIG. 4 describes the processing when the terminal 50C, whose terminal name is "terminal 3", is infected with malware and the security device 20 installed in the network detects C&C communication, that is, communication with a server on an external network performed in order to control the infected terminal from outside. As illustrated in FIG. 4, the state identification unit 11 of the identification device 10 identifies the state of the terminal 50C on the basis of the information, included in the detection information received from the security device 20, that terminal 3 performed C&C communication with the outside. Here, when C&C communication by terminal 3 is detected, it can be judged that terminal 3 is definitely infected with malware, so the state identification unit 11 identifies the state of terminal 3 as infected and sets its infection suspicion score to "1.0".
When the state identification unit 11 has identified the state of a terminal 50 as infected with malware, the infection identification unit 12 identifies, on the basis of the connection information stored in the configuration information storage device 30, the terminals 50 suspected of having been infected on the way to the activity content included in the detection information, and identifies the terminals 50 located on routes that the infected terminal 50 may use for future unauthorized intrusion or terminal infection as candidate infected terminals that may become infected.
For example, the infection identification unit 12 identifies the terminals 50 included in the communication routes that could have been the infection route of the infected terminal identified by the state identification unit 11 as terminals 50 suspected of infection, and calculates for each suspected terminal 50 a numerical value indicating the degree of suspicion of infection, on the basis of the number of communication routes that could have been the infection route and the past state of the terminal.
Also, for example, the infection identification unit 12 starts from the infected terminal identified by the state identification unit 11 and, using the connection information, identifies the terminals 50 that can be infected from that infected terminal as candidate infected terminals that may become infected.
The processing by which the identification device 10 identifies the terminals 50 suspected of infection and the candidate infected terminals is now described using the example of FIG. 5. FIG. 5 is a diagram explaining the processing of identifying terminals suspected of infection and candidate infected terminals in the identification device according to the first embodiment. In the example of FIG. 5, it is assumed that the state identification unit 11 has identified the state of "terminal 3" as infected and that its infection suspicion score has become "1.0".
When the state of "terminal 3", included in the detection information, has been identified, the infection identification unit 12 of the identification device 10 first identifies the infection route of terminal 3 using the connection information in the configuration information storage device 30. In the example of FIG. 5, three candidate infection routes to terminal 3 are conceivable in total: an attack performed directly from the Internet 80 via the NW device 60, an attack via terminal 1, and an attack via terminal 2.
Therefore, from the number of communication routes that could have been the infection route, "3", the infection suspicion score to be added is set to "0.33 (1/3)", and this is added to the past infection suspicion scores of terminal 1 and terminal 2 to calculate their infection suspicion score, the numerical value indicating the degree of suspicion of infection. The allocation of the infection suspicion score when multiple infection routes exist has been described here as an even distribution per route, but a weighted allocation using statistical information is also possible, and the method of determining the value is not limited to this.
Next, the infection identification unit 12 identifies, from the infected terminal and the terminals 50 suspected of infection, the candidate terminals to which infection may spread next. In the example of FIG. 5, starting from the infected terminal 3, terminal 5, which is connected to terminal 3, can be infected, so terminal 5 is identified as a candidate infection-spread destination terminal and "0.1" is added to its infection risk score. Also, since the infection suspicion scores of terminal 1 and terminal 2 are "0.33", for terminal 4, to which infection can spread from terminal 2, "0.33" is multiplied by "0.1" and the result truncated to two decimal places, "0.03", is added to the infection risk score.
As a result, as illustrated in FIG. 5, the infection risk score of terminal 4 becomes "0.13". In this way, whenever the state of a terminal changes or its infection suspicion score or infection risk score changes, the infection identification unit 12 updates the terminal state information and the infection suspicion and infection risk scores stored in the configuration information storage device 30.
Next, the countermeasure taken by the attack countermeasure device 40 against a terminal whose infection is confirmed is described using FIG. 6. FIG. 6 is a diagram explaining the countermeasure against a terminal whose infection is confirmed in the attack countermeasure device according to the first embodiment. When the infection suspicion score of terminal 3 exceeds a first threshold (for example, "0.9"), the attack countermeasure device 40 decides on a countermeasure for terminal 3. As illustrated in FIG. 6, the infection suspicion score of terminal 3 is "1.0", which exceeds the first threshold, so a countermeasure for terminal 3 is decided. In the example of FIG. 6, since terminal 3 is a terminal whose infection is confirmed, the countermeasure is to isolate terminal 3 and block the communication involving terminal 3.
Next, the processing of the identification device 10 and the attack countermeasure device 40 when the security device 20 detects, as a new event, an attack from terminal 4 on terminal 5 is described using FIGs. 7 and 8. FIG. 7 is a diagram explaining the processing of identifying terminals suspected of infection and candidate infected terminals in the identification device according to the first embodiment. FIG. 8 is a diagram explaining the countermeasure against a terminal with a high likelihood of infection in the attack countermeasure device according to the first embodiment.
As illustrated in FIG. 7, the state identification unit 11 of the identification device 10 identifies the states of terminal 4 and terminal 5 on the basis of the detection information (attack from terminal 4 on terminal 5) received from the security device 20. Here, when an attack from terminal 4 on terminal 5 is detected, it can be judged that terminal 4 is definitely infected with malware, so the state of terminal 4 is identified as infected, "1.0" is added to its infection suspicion score, and the infection suspicion score of terminal 4 becomes "1.0". In the example of FIG. 7, two candidate infection routes to terminal 4 are conceivable in total: an attack performed directly from the Internet 80 via the NW device 60, and an attack via terminal 2. Therefore, from the number of communication routes that could have been the infection route, "2", the infection suspicion score to be added is set to "0.5 (1/2)", and "0.5" is added to the infection suspicion score of terminal 2, which lies on a candidate infection route. As a result, the infection suspicion score of terminal 2 becomes "0.83".
Since terminal 5 has been attacked by terminal 4, the state of terminal 5 is identified as attacked; here, "0.5" is added to its infection suspicion score and "1.0" is added to its infection risk score. As a result, the infection suspicion score of terminal 5 becomes "0.5" and its infection risk score becomes "1.1".
Then, as illustrated in FIG. 8, when an infection suspicion score exceeds a second threshold (for example, "0.7"), the attack countermeasure device 40 decides on communication monitoring and communication restriction as the countermeasure for terminal 2. As illustrated in FIG. 8, the infection suspicion score of terminal 2 is "0.83", which exceeds the second threshold, so a countermeasure for terminal 2 is decided. In the example of FIG. 8, since terminal 2 is a terminal with a high likelihood of infection, the countermeasure is communication monitoring and communication restriction. Applying communication monitoring and restriction to a terminal with a high likelihood of infection in this way prevents, in case terminal 2 is infected, the spread of infection to further terminals 50 and external C&C communication connections from terminal 2.
Thus, in the identification system 1, every time the security device 20 detects an attack, the identification device 10 repeats the processing described above of identifying terminals suspected of infection and candidate terminals that may be infected in the future, thereby identifying candidate suspected terminals; further, by cumulatively computing, for example, the number of times a candidate terminal has become a candidate and the numerical suspicion of infection, it becomes possible to identify infected terminals other than the detected one and to reduce the spread of intrusion and the damage caused if they were in fact infected.
[Processing flow of the identification device]
Next, the processing flow of the identification device 10 according to the first embodiment is described using FIG. 9. FIG. 9 is a flowchart showing the processing flow of the identification device according to the first embodiment.
As shown in FIG. 9, when the state identification unit 11 of the identification device 10 receives detection information from the security device 20 (step S101, Yes), it identifies the state of the terminal 50 from the terminal 50 information and terminal activity content included in that detection information (step S102).
Then, when the state identification unit 11 has identified the state of the terminal 50 as infected with malware, the infection identification unit 12 of the identification device 10 refers to the connection information stored in the configuration information storage device 30 and determines whether any terminal has a connection relationship with the infected terminal (step S103).
As a result, when the infection identification unit 12 of the identification device 10 determines that no terminal has a connection relationship with the infected terminal (step S103, No), it updates the terminal state information in the configuration information storage device 30 (step S105) and ends the processing.
When the infection identification unit 12 of the identification device 10 determines that a terminal with a connection relationship with the infected terminal exists (step S103, Yes), then for each terminal 50 with a connection relationship with the infected terminal it identifies the terminals 50 on the route leading to the infected terminal as suspected infected terminals and the terminals beyond the infected terminal as candidate infected terminals (step S104). It then updates the terminal state information in the configuration information storage device 30 (step S105) and ends the processing.
[Processing flow of the identification system]
Next, the processing flow of the identification system 1 according to the first embodiment is described using FIG. 10. FIG. 10 is a sequence diagram showing the processing flow of the identification system according to the first embodiment.
As shown in FIG. 10, when the security device 20 detects unauthorized communication or the like (step S201), it transmits detection information to the identification device 10 (step S202). On receiving the detection information, the identification device 10 uses it to identify the state of the terminal 50 (step S203). Specifically, the identification device 10 identifies the state of the terminal 50 from the terminal 50 information and terminal activity content included in the detection information.
Then, when the identification device 10 has identified the state of the terminal 50 as infected with malware, it requests the connection information stored in the configuration information storage device 30 (step S204). The identification device 10 then refers to the requested connection information (step S205) and, for each terminal 50 with a connection relationship with the infected terminal, identifies the terminals 50 on the route leading to the infected terminal as suspected infected terminals and the terminals beyond the infected terminal as candidate infected terminals (step S206). Thereafter, the identification device 10 updates the terminal state information in the configuration information storage device 30 (step S207) and ends the processing.
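The scoring walk-through of FIGs. 4 to 8 and the detection-driven flow of FIGs. 9 and 10, replayed as an added Python example (not the patent's own code). The connection graph, the two-decimal truncation of scores, and the rule that terminals already infected or attacked are not counted again as spread candidates are assumptions.

```python
"""Added example (not the patent's own code): the infection suspicion /
infection risk scoring of FIGs. 4 to 8, driven by the detection events of
FIGs. 9 and 10.  The connection graph, the two-decimal truncation and the
rule that infected or attacked terminals are no longer spread candidates
are assumptions, not taken from the text."""
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN

INTERNET = "Internet"

# Constructed connection information, modelled on FIG. 2 and on the candidate
# routes named for FIG. 5 and FIG. 7 (source -> destination).
CONNECTIONS = [
    (INTERNET, "terminal1"), (INTERNET, "terminal2"), (INTERNET, "terminal3"),
    (INTERNET, "terminal4"), ("mailserver", "terminal1"),
    ("terminal1", "terminal3"), ("terminal2", "terminal3"),
    ("terminal2", "terminal4"), ("terminal3", "terminal5"),
    ("terminal4", "terminal5"),
]
TERMINALS = ["terminal1", "terminal2", "terminal3", "terminal4", "terminal5"]
FIRST_THRESHOLD = Decimal("0.9")   # exceeded -> isolate and block communication
SECOND_THRESHOLD = Decimal("0.7")  # exceeded -> monitor and restrict communication


def trunc2(value):
    """Truncate to two decimal places, as the text does (1/3 -> 0.33)."""
    return Decimal(value).quantize(Decimal("0.01"), rounding=ROUND_DOWN)


class IdentificationDevice:
    """Keeps the FIG. 3 state table and applies the scoring rules of the text."""

    def __init__(self, connections, terminals):
        self.pred = defaultdict(list)   # who can reach a node
        self.succ = defaultdict(list)   # whom a node can reach
        for src, dst in connections:
            self.pred[dst].append(src)
            self.succ[src].append(dst)
        self.state = {t: "non-infected" for t in terminals}
        self.suspicion = {t: Decimal("0") for t in terminals}
        # FIG. 4 starting point: risk 0.1 for terminals directly reachable
        # from the Internet, 0 otherwise.
        self.risk = {t: Decimal("0.1") if INTERNET in self.pred[t] else Decimal("0")
                     for t in terminals}

    # --- state identification unit 11 ----------------------------------
    def handle_detection(self, event):
        """One detection event from the security device (steps S101 to S105)."""
        if event["type"] == "c2":          # C&C traffic: infection is confirmed
            self._mark_infected(event["terminal"])
        elif event["type"] == "attack":    # source infected, destination attacked
            self._mark_infected(event["src"])
            dst = event["dst"]
            self.state[dst] = "attacked"
            self.suspicion[dst] += Decimal("0.5")
            self.risk[dst] += Decimal("1.0")
        else:
            raise ValueError(f"unknown detection type {event['type']!r}")
        self._identify_spread_candidates()
        return self.decide_countermeasures()

    def _mark_infected(self, terminal):
        self.state[terminal] = "infected"
        self.suspicion[terminal] = Decimal("1.0")
        self._identify_suspected(terminal)

    # --- infection identification unit 12 ------------------------------
    def _identify_suspected(self, infected):
        # Each predecessor (the Internet included) is one candidate infection
        # route; 1/N, truncated, is added to every predecessor terminal.
        routes = self.pred[infected]
        if not routes:
            return
        share = trunc2(Decimal(1) / Decimal(len(routes)))
        for t in routes:
            if t in self.state and self.state[t] != "infected":
                self.suspicion[t] += share
                self.state[t] = "suspected"

    def _identify_spread_candidates(self):
        # Infected terminal: +0.1 to each reachable terminal.
        # Suspected terminal: +trunc(suspicion * 0.1) to each reachable terminal.
        for src in list(self.state):
            if self.state[src] == "infected":
                weight = Decimal("0.1")
            elif self.state[src] == "suspected":
                weight = trunc2(self.suspicion[src] * Decimal("0.1"))
            else:
                continue
            for dst in self.succ[src]:
                if dst not in self.state or self.state[dst] in ("infected", "attacked"):
                    continue           # assumption: no longer a candidate
                self.risk[dst] += weight
                self.state[dst] = "spread candidate"

    # --- attack countermeasure device 40 -------------------------------
    def decide_countermeasures(self):
        decisions = {}
        for t, score in self.suspicion.items():
            if score > FIRST_THRESHOLD:
                decisions[t] = "isolate and block communication"
            elif score > SECOND_THRESHOLD:
                decisions[t] = "monitor and restrict communication"
        return decisions


def run_fig4_to_fig8():
    """Replays the two detections of the text and returns the device."""
    dev = IdentificationDevice(CONNECTIONS, TERMINALS)
    dev.handle_detection({"type": "c2", "terminal": "terminal3"})                    # FIGs. 4-6
    dev.handle_detection({"type": "attack", "src": "terminal4", "dst": "terminal5"})  # FIGs. 7-8
    return dev


if __name__ == "__main__":
    d = run_fig4_to_fig8()
    for t in TERMINALS:
        print(t, d.state[t], d.suspicion[t], d.risk[t])
```

After the second detection the table reproduces the values of FIG. 7: terminal 2 at 0.83 (monitor and restrict), terminal 4 at 1.0 with risk 0.13, and terminal 5 attacked with suspicion 0.5 and risk 1.1.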
[Effects of the first embodiment]
As described above, the identification device 10 according to the first embodiment receives detection information from the security device 20, which detects activity related to unauthorized intrusion into the network or infection of a terminal 50, and identifies the state of the terminal 50 from the terminal 50 information and terminal 50 activity content included in that detection information. Then, when the state identification unit 11 has identified the state of the terminal 50 as infected with malware, the identification device 10 identifies, on the basis of the connection information stored in the configuration information storage device 30, the terminals 50 suspected of having been infected on the way to the activity content included in the detection information, and identifies the terminals 50 located on routes that the infected terminal 50 may use for future unauthorized intrusion or terminal infection as candidate infected terminals that may become infected. Therefore, it is possible not only to detect infected terminals but also to identify terminals suspected of infection and candidate infected terminals that may be infected in the future.
That is, when the identification device 10 detects, for example, an event related to a targeted attack or an APT attack, it can identify not only the detected terminal but also the terminals that formed the route to the detected terminal and the candidate terminals to which intrusion or infection may spread, and countermeasures such as strengthened monitoring, communication restriction and communication blocking can be applied to these terminals.
[System configuration, etc.]
Each component of each illustrated device is functionally conceptual and need not be physically configured as illustrated. That is, the specific form in which the devices are distributed or integrated is not limited to the figures, and all or part of them can be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. For example, the functions of the state identification unit 11 and the infection identification unit 12 of the identification device 10 may be provided by separate devices. Also, for example, the identification device 10 may store the information of the configuration information storage device 30, or may have the function of the attack countermeasure device 40. Furthermore, all or any part of the processing functions performed in each device may be realized by a CPU and a program analyzed and executed by that CPU, or realized as hardware by wired logic.
Of the processes described in this embodiment, all or part of those described as performed automatically can be performed manually, and all or part of those described as performed manually can be performed automatically by known methods. In addition, the processing procedures, control procedures, specific names and information including various data and parameters shown in the above document and drawings can be changed arbitrarily unless otherwise specified.
[Program]
As one embodiment, the identification device 10 can be implemented by installing, as packaged software or online software, an identification program that executes the above identification processing on a desired computer. For example, by causing an information processing apparatus to execute the above identification program, the information processing apparatus can be made to function as the identification device 10. The information processing apparatus referred to here includes, for example, a desktop or notebook personal computer. Alternatively, a terminal device used by a user can serve as the client, and the identification device can be implemented as a server device that provides services related to the above identification processing to that client. For example, the identification device 10 is implemented as a server device that provides a processing service which not only detects infected terminals but also identifies terminals suspected of infection and candidate infected terminals that may be infected in the future. In this case, the identification device 10 may be implemented as a Web server, or as a cloud service that provides the above identification processing by outsourcing.
FIG. 11 is a diagram showing a computer that executes the identification program. The computer 1000 has, for example, a memory 1010 and a CPU (Central Processing Unit) 1020. The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060 and a network interface 1070. These units are connected by a bus 1080.
The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1031. The disk drive interface 1040 is connected to a disk drive 1041. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. The serial port interface 1050 is connected to, for example, a mouse 1051 and a keyboard 1052. The video adapter 1060 is connected to, for example, a display 1061.
The hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093 and program data 1094. That is, the program that defines each process of the identification device 10 is implemented as a program module 1093 in which computer-executable code is written. The program module 1093 is stored, for example, in the hard disk drive 1031. For example, a program module 1093 for executing processing equivalent to the functional configuration of the identification device 10 is stored in the hard disk drive 1031. The hard disk drive 1031 may be replaced by an SSD (Solid State Drive).
The setting data used in the processing of the embodiment described above is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1031. The CPU 1020 then reads the program module 1093 and program data 1094 stored in the memory 1010 or the hard disk drive 1031 into the RAM 1012 as necessary and executes them.
The program module 1093 and program data 1094 need not be stored in the hard disk drive 1031; for example, they may be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like. Alternatively, the program module 1093 and program data 1094 may be stored in another computer connected via a network (a LAN (Local Area Network), a WAN (Wide Area Network), etc.), and then read by the CPU 1020 from that other computer via the network interface 1070.
DESCRIPTION OF SYMBOLS
1 identification system
10 identification device
11 state identification unit
12 infection identification unit
20 security device
30 configuration information storage device
40 attack countermeasure device
50, 50A to 50E terminal
60 NW device
70 mail server
80 Internet
Claims (9)
前記構成情報記憶装置は、前記ネットワーク内における端末同士の接続関係を示す接続情報を記憶し、
前記特定装置は、
前記ネットワーク内への不正侵入または端末の感染に関する活動を検知するセキュリティ装置から検知情報を受信し、該検知情報に含まれる端末の情報および該端末の活動内容から当該端末の状態を特定する状態特定部と、
前記状態特定部によって前記端末の状態がマルウェアに感染した状態であると特定された場合には、前記構成情報記憶装置によって記憶された接続情報に基づいて、前記検知情報に含まれる端末の活動内容に至るまでに感染した疑いがある端末を特定し、感染した端末が今後不正侵入または端末の感染に用いる可能性がある経路上に位置する端末を感染する可能性がある感染端末の候補と特定する感染特定部と
を有することを特徴とする特定システム。 A specific system having a configuration information storage device for storing information related to a terminal in a network and a specific device for specifying a state of the terminal;
The configuration information storage device stores connection information indicating a connection relationship between terminals in the network,
The specific device is:
a state identification unit that receives detection information from a security device that detects activity related to unauthorized intrusion into the network or infection of a terminal, and identifies the state of the terminal from the terminal information and the activity content of the terminal included in the detection information; and
an infection identification unit that, when the state identification unit identifies that the state of the terminal is a state infected with malware, based on the connection information stored by the configuration information storage device, identifies terminals suspected of having been infected up to the point of the activity of the terminal included in the detection information, and identifies, as infected terminal candidates that may become infected, terminals located on a route that the infected terminal may use in the future for unauthorized intrusion or infection of a terminal.
The identification system according to claim 1 or 2, further comprising an attack countermeasure device, wherein the attack countermeasure device performs blocking of communication, monitoring of communication or restriction of communication on the infected terminal identified by the state identification unit and, among the terminals suspected of infection identified by the infection identification unit, terminals with a high suspicion of infection.
An identification device comprising:
a state identification unit that receives detection information about a detection from a security device that detects activity related to unauthorized intrusion into a network including a plurality of terminals or infection of a terminal, and identifies the state of the terminal from the terminal information and the activity content of the terminal included in the detection information; and
an infection identification unit that, when the state identification unit identifies that the state of the terminal is a state infected with malware, based on connection information indicating the connection relationships between terminals in the network, identifies terminals suspected of having been infected up to the point of the activity of the terminal included in the detection information, and identifies, as infected terminal candidates that may become infected, terminals located on a route that the infected terminal may use in the future for unauthorized intrusion or infection of a terminal.
An identification method performed by an identification device, the method comprising:
a state identification step of receiving detection information about a detection from a security device that detects activity related to unauthorized intrusion into a network including a plurality of terminals or infection of a terminal, and identifying the state of the terminal from the terminal information and the activity content of the terminal included in the detection information; and
an infection identification step of, when the state of the terminal is identified by the state identification step as a state infected with malware, based on connection information indicating the connection relationships between terminals in the network, identifying terminals suspected of having been infected up to the point of the activity of the terminal included in the detection information, and identifying, as infected terminal candidates that may become infected, terminals located on a route that the infected terminal may use in the future for unauthorized intrusion or infection of a terminal.
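The claims above describe three cooperating parts: a state identification unit that turns a security device's detection (terminal plus activity content) into a terminal state, an infection identification unit that, once a terminal is judged infected, walks the connection information backwards to find terminals suspected of having infected it and forwards to find terminals on routes it could use next, and an attack countermeasure device that acts on the infected terminal and the high-suspicion terminals. The following Python model is an added example written for this page; it is not code from the patent or its applicant. The terminal names, the activity-to-state table, the hop limits, the "earlier non-normal detection upstream means high suspicion" rule and the block/monitor policy are all constructed assumptions chosen to illustrate the claimed flow.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set

# Added example modelling the claimed units. Every name, table and rule in
# this file is an assumption for illustration, not taken from the patent.


@dataclass(frozen=True)
class Detection:
    """Detection information as sent by the security device."""
    seq: int        # arrival order; smaller = earlier
    terminal: str   # terminal information (an identifier)
    activity: str   # activity content of the terminal


# State identification unit: activity content -> terminal state (assumed table).
STATE_BY_ACTIVITY = {
    "port_scan": "reconnaissance",
    "exploit_attempt": "intrusion_attempted",
    "malware_download": "infected",
    "c2_beacon": "infected",
}


def identify_state(det: Detection) -> str:
    """Identify the terminal's state from the activity content."""
    return STATE_BY_ACTIVITY.get(det.activity, "normal")


class InfectionIdentifier:
    """Infection identification unit over the stored connection information.

    `connections` is a directed map src -> {dst} of which terminal can
    reach which (the configuration information of the claims).
    """

    def __init__(self, connections: Dict[str, Set[str]]):
        self.fwd = {t: set(d) for t, d in connections.items()}
        self.rev: Dict[str, Set[str]] = {}
        for src, dsts in self.fwd.items():
            for dst in dsts:
                self.rev.setdefault(dst, set()).add(src)
        self.history: List[Detection] = []   # detections seen so far

    @staticmethod
    def _reach(start: str, graph: Dict[str, Set[str]], max_hops: int) -> Dict[str, int]:
        """Breadth-first search: terminals within `max_hops` of `start`, with distance."""
        dist = {start: 0}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            if dist[cur] >= max_hops:
                continue
            for nxt in graph.get(cur, ()):
                if nxt not in dist:
                    dist[nxt] = dist[cur] + 1
                    queue.append(nxt)
        dist.pop(start)
        return dist

    def suspected_sources(self, det: Detection, max_hops: int = 2) -> Dict[str, str]:
        """Terminals that may have infected det.terminal before the detected
        activity. Assumed rule: an upstream terminal with an earlier
        non-normal detection is 'high' suspicion, otherwise 'low'."""
        upstream = self._reach(det.terminal, self.rev, max_hops)
        flagged = {h.terminal for h in self.history
                   if h.seq < det.seq and identify_state(h) != "normal"}
        return {t: ("high" if t in flagged else "low") for t in upstream}

    def infection_candidates(self, det: Detection, max_hops: int = 2) -> Set[str]:
        """Terminals on routes the infected terminal could use next (forward reach)."""
        return set(self._reach(det.terminal, self.fwd, max_hops))

    def process(self, det: Detection, max_hops: int = 2) -> dict:
        """State identification, then infection identification if infected."""
        state = identify_state(det)
        result = {"terminal": det.terminal, "state": state}
        if state == "infected":
            result["suspected"] = self.suspected_sources(det, max_hops)
            result["candidates"] = self.infection_candidates(det, max_hops)
        self.history.append(det)
        return result


def countermeasures(result: dict) -> Dict[str, str]:
    """Attack countermeasure device (assumed policy): block the infected
    terminal, monitor terminals with high suspicion of infection."""
    actions: Dict[str, str] = {}
    if result.get("state") == "infected":
        actions[result["terminal"]] = "block"
        for t, level in result.get("suspected", {}).items():
            if level == "high":
                actions[t] = "monitor"
    return actions


# Constructed sample connection information and detection sequence.
SAMPLE_CONNECTIONS = {"A": {"B"}, "X": {"B"}, "B": {"C"}, "C": {"D", "E"}, "D": {"F"}}
SAMPLE_DETECTIONS = [
    Detection(1, "A", "port_scan"),
    Detection(2, "A", "exploit_attempt"),
    Detection(3, "B", "c2_beacon"),
]


def run_sample():
    """Feed the constructed detections through the units; return results and actions."""
    ident = InfectionIdentifier(SAMPLE_CONNECTIONS)
    results = [ident.process(d) for d in SAMPLE_DETECTIONS]
    return results, countermeasures(results[-1])


if __name__ == "__main__":
    sample_results, sample_actions = run_sample()
    for r in sample_results:
        print(r)
    print("actions:", sample_actions)
```

In the constructed sample, terminal B is judged infected on its C2 beacon; A (which scanned and attempted an exploit earlier and can reach B) is reported as a high-suspicion source while X, which can also reach B but has no prior detection, is low; C, D and E lie within two hops downstream of B and become infection candidates, and the countermeasure device blocks B and monitors A. Real connection information would come from the configuration store rather than a literal dict, and F is excluded only because of the assumed two-hop limit.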
Priority Applications (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201680057393.7A CN108141408B (en) | 2015-10-06 | 2016-10-05 | Determination system, determination device, and determination method |
| US15/765,527 US10972490B2 (en) | 2015-10-06 | 2016-10-05 | Specifying system, specifying device, and specifying method |
| AU2016335722A AU2016335722B2 (en) | 2015-10-06 | 2016-10-05 | Identification system, identification device and identification method |
| EP16853623.3A EP3337106B1 (en) | 2015-10-06 | 2016-10-05 | Identification system, identification device and identification method |
| JP2017544527A JP6405055B2 (en) | 2015-10-06 | 2016-10-05 | SPECIFIC SYSTEM, SPECIFIC DEVICE, AND SPECIFIC METHOD |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2015198753 | 2015-10-06 | | |
| JP2015-198753 | 2015-10-06 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2017061469A1 true WO2017061469A1 (en) | 2017-04-13 |
Family
ID=58487708
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2016/079620 Ceased WO2017061469A1 (en) | 2015-10-06 | 2016-10-05 | Identification system, identification device and identification method |
Country Status (6)
| Country | Link |
|---|---|
| US (1) | US10972490B2 (en) |
| EP (1) | EP3337106B1 (en) |
| JP (1) | JP6405055B2 (en) |
| CN (1) | CN108141408B (en) |
| AU (1) | AU2016335722B2 (en) |
| WO (1) | WO2017061469A1 (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP6577442B2 (en) * | 2016-11-01 | 2019-09-18 | 日本電信電話株式会社 | Unauthorized intrusion prevention device, unauthorized intrusion prevention method and unauthorized intrusion prevention program |
| JP6723955B2 (en) * | 2017-05-12 | 2020-07-15 | 日立オートモティブシステムズ株式会社 | Information processing apparatus and abnormality coping method |
| WO2021095223A1 (en) * | 2019-11-15 | 2021-05-20 | 日本電気株式会社 | Analysis system, method, and program |
| US11693961B2 (en) | 2019-12-03 | 2023-07-04 | Sonicwall Inc. | Analysis of historical network traffic to identify network vulnerabilities |
| US20210194915A1 (en) * | 2019-12-03 | 2021-06-24 | Sonicwall Inc. | Identification of potential network vulnerability and security responses in light of real-time network risk assessment |
| US11388176B2 (en) | 2019-12-03 | 2022-07-12 | Sonicwall Inc. | Visualization tool for real-time network risk assessment |
| US20220159029A1 (en) * | 2020-11-13 | 2022-05-19 | Cyberark Software Ltd. | Detection of security risks based on secretless connection data |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2008141398A (en) * | 2006-11-30 | 2008-06-19 | Mitsubishi Electric Corp | RELAY DEVICE AND RELAY DEVICE CONTROL METHOD |
| JP2009117929A (en) * | 2007-11-02 | 2009-05-28 | Nippon Telegr & Teleph Corp <Ntt> | Unauthorized access monitoring apparatus and method |
| JP2011101172A (en) * | 2009-11-05 | 2011-05-19 | Nec Corp | Worm infection source specification system, specification method and specification program, agent, and manager computer |
| JP2015095159A (en) * | 2013-11-13 | 2015-05-18 | 日本電信電話株式会社 | Evaluation method and evaluation apparatus |
Family Cites Families (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7194769B2 (en) | 2003-12-11 | 2007-03-20 | Massachusetts Institute Of Technology | Network security planning architecture |
| US8117659B2 (en) * | 2005-12-28 | 2012-02-14 | Microsoft Corporation | Malicious code infection cause-and-effect analysis |
| US8381289B1 (en) * | 2009-03-31 | 2013-02-19 | Symantec Corporation | Communication-based host reputation system |
| US8341745B1 (en) * | 2010-02-22 | 2012-12-25 | Symantec Corporation | Inferring file and website reputations by belief propagation leveraging machine reputation |
| US8938800B2 (en) * | 2010-07-28 | 2015-01-20 | Mcafee, Inc. | System and method for network level protection against malicious software |
| US9071636B2 (en) * | 2011-12-21 | 2015-06-30 | Verizon Patent And Licensing Inc. | Predictive scoring management system for application behavior |
| CN103248613B (en) * | 2012-02-09 | 2014-07-23 | 腾讯科技(深圳)有限公司 | Method and device for controlling network access of application program |
| US8813236B1 (en) * | 2013-01-07 | 2014-08-19 | Narus, Inc. | Detecting malicious endpoints using network connectivity and flow information |
| US9148441B1 (en) * | 2013-12-23 | 2015-09-29 | Symantec Corporation | Systems and methods for adjusting suspiciousness scores in event-correlation graphs |
| US9191403B2 (en) * | 2014-01-07 | 2015-11-17 | Fair Isaac Corporation | Cyber security adaptive analytics threat monitoring system and method |
| US10164995B1 (en) * | 2014-08-14 | 2018-12-25 | Pivotal Software, Inc. | Determining malware infection risk |
| US11128641B2 (en) * | 2015-08-28 | 2021-09-21 | Hewlett Packard Enterprise Development Lp | Propagating belief information about malicious and benign nodes |
- 2016
- 2016-10-05 US US15/765,527 patent/US10972490B2/en active Active
- 2016-10-05 CN CN201680057393.7A patent/CN108141408B/en active Active
- 2016-10-05 JP JP2017544527A patent/JP6405055B2/en active Active
- 2016-10-05 AU AU2016335722A patent/AU2016335722B2/en active Active
- 2016-10-05 WO PCT/JP2016/079620 patent/WO2017061469A1/en not_active Ceased
- 2016-10-05 EP EP16853623.3A patent/EP3337106B1/en active Active
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2018157343A (en) * | 2017-03-16 | 2018-10-04 | 日本電信電話株式会社 | Handling instruction device, handling instruction method, handling instruction program |
| JP2020014061A (en) * | 2018-07-13 | 2020-01-23 | 株式会社Pfu | Information processing apparatus, communication inspection method, and program |
| JP7045949B2 (en) | 2018-07-13 | 2022-04-01 | 株式会社Pfu | Information processing equipment, communication inspection method and program |
| WO2020090497A1 (en) * | 2018-10-31 | 2020-05-07 | 日本電信電話株式会社 | Infection probability calculating device, infection probability calculating method, and infection probability calculating program |
| JP2021044791A (en) * | 2019-09-11 | 2021-03-18 | 財団法人 資訊工業策進会Institute For Information Industry | Attack vector detection method, attack vector detection system and non-temporary computer-readable recording medium |
| US11689558B2 (en) | 2019-09-11 | 2023-06-27 | Institute For Information Industry | Attack path detection method, attack path detection system and non-transitory computer-readable medium |
Also Published As
| Publication number | Publication date |
|---|---|
| AU2016335722A1 (en) | 2018-04-12 |
| AU2016335722B2 (en) | 2020-01-30 |
| US10972490B2 (en) | 2021-04-06 |
| CN108141408B (en) | 2021-01-15 |
| US20190081970A1 (en) | 2019-03-14 |
| EP3337106A4 (en) | 2019-04-03 |
| EP3337106A1 (en) | 2018-06-20 |
| CN108141408A (en) | 2018-06-08 |
| JP6405055B2 (en) | 2018-10-17 |
| JPWO2017061469A1 (en) | 2018-02-15 |
| EP3337106B1 (en) | 2020-02-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6405055B2 (en) | | SPECIFIC SYSTEM, SPECIFIC DEVICE, AND SPECIFIC METHOD |
| US11843666B2 (en) | | Sub-networks based security method, apparatus and product |
| US10311235B2 (en) | | Systems and methods for malware evasion management |
| EP3127301B1 (en) | | Using trust profiles for network breach detection |
| US10044740B2 (en) | | Method and apparatus for detecting security anomalies in a public cloud environment using network activity monitoring, application profiling and self-building host mapping |
| CN102694820B (en) | | Processing method of signature rule, server and intrusion defending system |
| US9548990B2 (en) | | Detecting a heap spray attack |
| US9336386B1 (en) | | Exploit detection based on heap spray detection |
| US12261877B2 (en) | | Detecting malware infection path in a cloud computing environment utilizing a security graph |
| EP3252648B1 (en) | | Security measure invalidation prevention device, security measure invalidation prevention method, and security measure invalidation prevention program |
| JP6592196B2 (en) | | Malignant event detection apparatus, malignant event detection method, and malignant event detection program |
| JP7166969B2 (en) | | Router attack detection device, router attack detection program, and router attack detection method |
| US20230208862A1 (en) | | Detecting malware infection path in a cloud computing environment utilizing a security graph |
| US12321461B2 (en) | | Attack graph processing device, method, and program |
| US20250039201A1 (en) | | Information processing system, information processing method, and computer-readable recording medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16853623; Country of ref document: EP; Kind code of ref document: A1 |
| | ENP | Entry into the national phase | Ref document number: 2017544527; Country of ref document: JP; Kind code of ref document: A |
| | WWE | Wipo information: entry into national phase | Ref document number: 2016853623; Country of ref document: EP |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | ENP | Entry into the national phase | Ref document number: 2016335722; Country of ref document: AU; Date of ref document: 20161005; Kind code of ref document: A |